CVE-2024-10366

EUVD-2025-7108
An improper access control vulnerability (IDOR) exists in the delete attachments functionality of danny-avila/librechat version v0.7.5-rc2. The endpoint does not verify whether the provided attachment ID belongs to the current user, allowing any authenticated user to delete attachments of other users.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
@huntr_aiCNA
7.6 HIGH
NETWORK
LOW
LOW
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 20%
Affected Products (NVD)
VendorProductVersion
librechatlibrechat
0.7.5:rc2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/danny-avila/librechat/commit/a350443661d001ac55787741969a75d94ca14116
https://huntr.com/bounties/cde47cf8-dc81-46ab-b472-f7e44a981a7e